Preimage Attacks on 3-Pass HAVAL and Step-Reduced MD5


Jean-Philippe Aumasson¹, Willi Meier¹, and Florian Mendel²

¹ FHNW, Windisch, Switzerland
² IAIK, Graz University of Technology, Graz, Austria

Abstract. This paper presents preimage attacks on the hash functions 3-pass HAVAL and step-reduced MD5. Introduced in 1992 and 1991 respectively, these functions underwent severe collision attacks, but no preimage attack. We describe two preimage attacks on the compression function of 3-pass HAVAL. The attacks have a complexity of about compression function evaluations instead of. We present several preimage attacks on the MD5 compression function that invert up to 47 steps (out of 64) within $2^{96}$ trials instead of. Although our attacks are not practical, they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

Keywords: cryptanalysis, hash function, preimage attack.

1 Introduction

A cryptographic hash function $h$ maps a message $M$ of arbitrary length to a fixed-length hash value $H$ and has to fulfill the following security requirements:

- Collision resistance: it is infeasible to find two messages $M$ and $M'$, with $M \neq M'$, such that $h(M) = h(M')$.
- Second preimage resistance: for a given message $M$, it is infeasible to find a second message $M' \neq M$ such that $h(M) = h(M')$.
- Preimage resistance: for a given hash value $H$, it is infeasible to find a message $M$ such that $h(M) = H$.

The resistance of a hash function to collision and (second) preimage attacks depends in the first place on the length $n$ of the hash value. Regardless of how a hash function is designed, an adversary will always be able to find preimages or second preimages after trying out about $2^n$ different messages. Finding collisions requires a much smaller number of trials: about $2^{n/2}$ due to the birthday paradox. A function is said to achieve ideal security if these bounds are guaranteed.
(Funding note.) The work in this paper was supported in part by the Austrian Science Fund (FWF), project no. P . Supported by the Swiss National Science Foundation, project no. . Supported by GEBERT RÜF STIFTUNG, project no. GRS-069/07.

Recent cryptanalytic results on hash functions mainly focus on collision attacks, but only few results with respect to preimages have been published to date. In this article, we analyze the preimage resistance of the hash functions MD5 and HAVAL. Both are iterated hash functions based on the Merkle-Damgård design principle. MD4 and MD5 both underwent critical collision attacks [4, 7, 8, 17-19], and hence should not be used anymore. But in practice MD5 is still widespread and remains secure for applications that do not require collision resistance. While three preimage attacks on MD4 are known [3, 5, 6], the picture is different for MD5: using a SAT-solver, De et al. [3] inverted 26 (out of 64) steps of MD5, and no analytical attack is known to date. The same holds for HAVAL: while several collision attacks [7, 13, 20, 21] and even a second preimage attack [9] were published, no preimage attack is known.

Independent Work. Sasaki and Aoki discovered preimage attacks on round-reordered and step-reduced MD5 [14]: their best attack with the original round ordering inverts 44 steps of the compression function within $2^{96}$ trials, starting at step 3 and ending at step 46. They subsequently improved this result in a paper presented at this workshop [15].

Our Contribution. First, we invert the compression function of MD5 reduced to 45 steps by using a meet-in-the-middle approach. The attack makes about compression function evaluations and needs negligible memory. Second, we exploit special properties of the permutations used in the compression function to extend this attack to 47 steps (out of 64). The attack has a complexity of $2^{96}$ compressions and memory requirements of $2^{36}$ bytes. Third, we extend the attacks on the compression function to the hash function by using a meet-in-the-middle and tree-based approach.
With this method we can construct preimages for MD5 reduced to 45 and 47 steps with a complexity of about and compression function evaluations and memory requirements of $2^{39}$ bytes. Similar strategies can be applied to the compression function of HAVAL. We can invert the compression function of 3-pass HAVAL with a complexity of about compression function evaluations and memory requirements of $2^{69}$ bytes. We can turn the attack on the compression function into a preimage attack on the hash function with a complexity of about compression function evaluations and memory requirements of $2^{70}$ bytes.

Outline. The article is structured as follows. Section 2 presents two methods to invert the compression function of MD5 reduced to 45 and 47 steps. We use the same methods to invert the compression function of 3-pass HAVAL in Section 3. In Section 4, we show how the attacks on the compression function of MD5 and HAVAL can be extended to preimage attacks on the hash function, and Section 5 concludes.

2 Preimage Attacks on Step-Reduced MD5

This section presents two techniques to invert the MD5 compression function. The first attack on 45 steps is based on a standard meet-in-the-middle (MITM)

and requires about trials. The second attack inverts up to 47 steps, and exploits special properties of the message ordering. Combined with a MITM, we construct a preimage attack with complexity about $2^{96}$ trials. But prior to that, we provide a brief description of MD5 and illustrate the basic idea of our attacks over 32 steps.

2.1 Short Description of MD5

The MD5 compression function takes as input a 512-bit message block and a 128-bit chain value and outputs another 128-bit chain value.

Fig. 1. The step function of MD5.

The input chain value $H_0 \ldots H_3$ is first copied into registers $A_0 \ldots D_0$: $(A_0, B_0, C_0, D_0) \leftarrow (H_0, H_1, H_2, H_3)$. This inner state is then transformed by a series of 64 steps and the output is

$$(H'_0, H'_1, H'_2, H'_3) = (A_{64} + A_0,\; B_{64} + B_0,\; C_{64} + C_0,\; D_{64} + D_0), \tag{1}$$

where $A_{64} \ldots D_{64}$ are defined by the recursion below:

$$A_i = D_{i-1}$$
$$B_i = B_{i-1} + \big(A_{i-1} + f_i(B_{i-1}, C_{i-1}, D_{i-1}) + M_{\sigma(i)} + K_i\big) \lll r_i$$
$$C_i = B_{i-1}$$
$$D_i = C_{i-1}$$

The $K_i$'s and $r_i$'s are predefined constants and the $\sigma(i)$'s are in Table 1. The function $f_i$ is defined as

$$f_i(B, C, D) = (B \wedge C) \vee (\neg B \wedge D) \quad \text{if } 0 < i \le 16$$
$$f_i(B, C, D) = (D \wedge B) \vee (\neg D \wedge C) \quad \text{if } 16 < i \le 32$$
$$f_i(B, C, D) = B \oplus C \oplus D \quad \text{if } 32 < i \le 48$$
$$f_i(B, C, D) = C \oplus (B \vee \neg D) \quad \text{if } 48 < i \le 64$$

Fig. 1 gives a schematic view of the step function, and [12] gives a complete specification.

Table 1. Values of $\sigma(i)$ in MD5 for $i = 1, \ldots, 64$ (we boldface the $M_2$ key inputs used in the attacks on 32 and 47 steps, and the $M_6$ and $M_9$ key inputs used in the attack on 45 steps). [Columns: step index $i$, message word $\sigma(i)$.]

Fact 1. At step $i$ only $B_i$ is a really new value, the others are just shifted as in a feedback shift register. Hence for $i = 0, \ldots, 60$ we have $B_i = C_{i+1} = D_{i+2} = A_{i+3}$.

Fact 2. The step function is invertible, i.e. from $A_i \ldots D_i$ and $M_{\sigma(i)}$ we can always compute $A_{i-1} \ldots D_{i-1}$. Removing the feedforward by $H_0 \ldots H_3$ in Eq. (1) would thus make the compression function trivially invertible.

2.2 Preimage Attack on 32 Steps

This attack computes preimages for the 32-step compression function within about $2^{96}$ trials (instead of). It introduces two tricks used in the 45- and 47-step attacks: absorption of changes in $C_0$ and exploitation of the ordering of the message words.

Key Facts. Observe in Table 1 that $M_2$ is only input at the very beginning and the very end of 32-step MD5, namely at steps 3 and 30. Hence, if we could pick a message and freely modify $M_2$ such that $B_3$ stays unchanged, we would be able to choose $B_{30} = C_{31} = D_{32}$ (cf. Fact 1). A key observation is that the function

$f_i$ can either preserve or absorb an input difference: indeed for $0 < i \le 16$ and any $C$ and $D$ we have

$$f_i(0, C, D) = (0 \wedge C) \vee (\texttt{0xffffffff} \wedge D) = D \tag{2}$$
$$f_i(\texttt{0xffffffff}, 0, D) = (\texttt{0xffffffff} \wedge 0) \vee (0 \wedge D) = 0 \tag{3}$$

These properties will be used to absorb a change in $C_0 = D_1 = A_2$ at steps 1 and 2. More precisely, we need $B_0 = 0$ to absorb the change of $C_0$ at step 1, and to absorb the change in $D_1 = C_0$ at step 2 we need $B_1 = \texttt{0xffffffff}$. We can now sketch the attack:

1. pick a chain value $H_0 \ldots H_3 = A_0 \ldots D_0$ (with certain constraints)
2. pick a message $M_0 \ldots M_{15}$ (with certain constraints)
3. modify $M_2$ to choose $B_{30} = C_{31} = D_{32}$
4. modify $H_2 = C_0$ such that the change in $M_2$ doesn't alter the subsequent $A_i \ldots D_i$

Our strategy is inspired from Leurent's MD4 inversion [6]; the main difference is that [6] exploits absorption in the second round, whereas we use it in the early steps.

Description of the Attack. Suppose we seek a preimage of $\tilde H = \tilde H_0 \ldots \tilde H_3$. The algorithm below first sets $B_0 = 0$ and $B_1 = \texttt{0xffffffff}$, to guarantee that a change in $C_0$ will only affect $A_2$. Then, from an arbitrarily chosen message, Algorithm 1 modifies $M_2$ in order to meet in the middle. Finally, $C_0$ corrects the change in $M_2$, and this new value of $C_0$ does not affect the initial steps of the function.

Algorithm 1. Preimage attack on 32-step MD5.
1. set $B_0 = 0$ and $A_0$, $C_0$, $D_0$ to arbitrary values
2. repeat
3. pick $M_0$ such that $B_1 = \texttt{0xffffffff}$
4. pick arbitrary values for $M_1 \ldots M_{15}$
5. compute $A_1 \ldots D_{29}$
6. modify $M_2$ to get $B_{30} = D_{32} = \tilde H_3 - D_0$
7. correct $C_0$ to keep $B_3$ unchanged
8. compute the final hash value $H' = H'_0 \ldots H'_3$
9. if $H' = \tilde H$ then
10. return $A_0 \ldots D_0$ and $M_0 \ldots M_{15}$

Algorithm 1 makes about $2^{96}$ trials by choosing 32 bits in the 128-bit image and bruteforcing the 96 remaining bits. (We denote $H' = H'_0 \ldots H'_3$ a final hash value, so our goal is to have in the end $H' = \tilde H$.)
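As an added example (this is not code from the paper), the following Python implements the MD5 step recursion of Section 2.1 with the constants of RFC 1321 (the $K_i$, $r_i$ and $\sigma(i)$ values that Table 1 would carry), checks the compression function against hashlib, verifies Fact 2 by undoing every step, and reproduces lines 1, 3 and 7 of Algorithm 1 on constructed random inputs: with $B_0 = 0$ the choice of $M_0$ forces $B_1 = \texttt{0xffffffff}$, a changed $C_0$ is absorbed at steps 1 and 2 by Eqs. (2) and (3), and after modifying $M_2$ the corrected $C_0 = A_2$ restores $B_3$. Function names and the random inputs are the example's own.

```python
import hashlib
import math
import random
import struct

MASK = 0xFFFFFFFF

# MD5 constants from RFC 1321, indexed by the 0-based step i (the paper counts 1..64):
# additive constants K_i, rotation amounts r_i and message-word indices sigma(i).
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]
R = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
SIGMA = (list(range(16)) + [(5 * j + 1) % 16 for j in range(16)]
         + [(3 * j + 5) % 16 for j in range(16)] + [(7 * j) % 16 for j in range(16)])
IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, 32 - n)

def f(i, b, c, d):
    """Round function f_i of the paper, for 0-based step i."""
    if i < 16:
        return (b & c) | (~b & MASK & d)
    if i < 32:
        return (d & b) | (~d & MASK & c)
    if i < 48:
        return b ^ c ^ d
    return c ^ (b | (~d & MASK))

def step(i, state, m):
    """Forward step i: only B is new, the other registers just shift (Fact 1)."""
    a, b, c, d = state
    t = (a + f(i, b, c, d) + m[SIGMA[i]] + K[i]) & MASK
    return (d, (b + rotl(t, R[i])) & MASK, b, c)

def inverse_step(i, state, m):
    """Fact 2: recover the state before step i from the state after it and M_sigma(i)."""
    a_next, b_next, c_next, d_next = state
    b, c, d = c_next, d_next, a_next          # the shifted registers come back for free
    t = rotr((b_next - b) & MASK, R[i])
    return ((t - f(i, b, c, d) - m[SIGMA[i]] - K[i]) & MASK, b, c, d)

def run_steps(state, m, steps):
    """States (A_i, B_i, C_i, D_i) after each of the first `steps` steps."""
    out = []
    for i in range(steps):
        state = step(i, state, m)
        out.append(state)
    return out

def compress(h, block, steps=64):
    """(Step-reduced) MD5 compression with the feedforward of Eq. (1)."""
    m = list(struct.unpack('<16I', block))
    state = run_steps(tuple(h), m, steps)[-1]
    return tuple((x + y) & MASK for x, y in zip(state, h))

def matches_hashlib(msg):
    """Cross-check against hashlib for a message shorter than 56 bytes (one padded block)."""
    padded = msg + b'\x80' + b'\x00' * (55 - len(msg)) + struct.pack('<Q', 8 * len(msg))
    return struct.pack('<4I', *compress(IV, padded)) == hashlib.md5(msg).digest()

def inverse_roundtrip(seed=2):
    """Every one of the 64 steps is undone exactly by inverse_step."""
    rng = random.Random(seed)                 # constructed random state and message
    m = [rng.getrandbits(32) for _ in range(16)]
    state = tuple(rng.getrandbits(32) for _ in range(4))
    for i in range(64):
        if inverse_step(i, step(i, state, m), m) != state:
            return False
        state = step(i, state, m)
    return True

def absorption_demo(seed=1):
    """Algorithm 1, lines 1, 3 and 7: with B_0 = 0 and M_0 forcing B_1 = 0xffffffff,
    a change of C_0 is absorbed at steps 1 and 2 (Eqs. (2), (3)), so a modified M_2
    can be compensated by re-choosing C_0 = A_2 without disturbing B_3."""
    rng = random.Random(seed)                 # constructed sample inputs
    a0, c0, d0 = (rng.getrandbits(32) for _ in range(3))
    m = [rng.getrandbits(32) for _ in range(16)]
    # Step 1: B_1 = rotl(A_0 + f_1(0, C_0, D_0) + M_0 + K_1, 7) with f_1 = D_0 (Eq. (2));
    # rotating 0xffffffff gives 0xffffffff again, hence the rotation-free Eq. (4).
    m[0] = (0xffffffff - a0 - d0 - K[0]) & MASK
    ref = run_steps((a0, 0, c0, d0), m, 3)
    b1, b2, b3 = (s[1] for s in ref)
    # (a) another C_0 leaves B_1 and B_2 untouched (Eq. (3) absorbs D_1 = C_0 at step 2)
    other = run_steps((a0, 0, rng.getrandbits(32), d0), m, 2)
    absorbed = b1 == 0xffffffff and (other[0][1], other[1][1]) == (b1, b2)
    # (b) modify M_2, then solve step 3 for A_2 = C_0 so that B_3 keeps its old value:
    #     B_3 = B_2 + rotl(A_2 + f_3(B_2, C_2, D_2) + M_2 + K_3, r_3)
    m2 = list(m)
    m2[2] = rng.getrandbits(32)
    _, bb2, cc2, dd2 = ref[1]                 # state after step 2, independent of C_0
    c0_new = (rotr((b3 - bb2) & MASK, R[2]) - f(2, bb2, cc2, dd2) - m2[2] - K[2]) & MASK
    fixed = run_steps((a0, 0, c0_new, d0), m2, 3)
    restored = [s[1] for s in fixed] == [b1, b2, b3]
    return absorbed, restored
```

`absorption_demo()` returns `(True, True)`: the first flag is the absorption of $C_0$, the second that the corrected $C_0$ leaves $B_1$, $B_2$ and $B_3$ exactly as before the change of $M_2$. Only the local correction is demonstrated; the $2^{96}$ search of Algorithm 1 is not run.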

Correctness of the Attack. We now explain in detail why the attack works. First, the operation at line 3 of our algorithm is feasible because it corresponds to setting

$$M_0 = \texttt{0xffffffff} - A_0 - D_0 - K_0. \tag{4}$$

Then right after line 4 we have for any choice of $C_0$:

1. $f_1(B_0, C_0, D_0) = f_1(0, C_0, D_0) = D_0$
2. $f_2(B_1, C_1, D_1) = f_2(\texttt{0xffffffff}, C_1 = B_0, D_1) = 0$

In other words, the first two steps are independent of $C_0$. This will allow us to modify $C_0 = D_1 = A_2$ to correct a change in $M_2$ without altering $A_i \ldots D_i$ between steps 4 and 30. Now, at line 6 we set

$$M_2 = \big((\tilde H_3 - D_0 - B_{29}) \ggg 9\big) - G(B_{29}, C_{29}, D_{29}) - A_{29} - K_{30}. \tag{5}$$

With this new value of $M_2$ we get in the end $H'_3 = \tilde H_3$. Finally we correct this change by setting

$$C_0 = \big((B_3 - B_2) \ggg r_3\big) - f_3(B_2, C_2, D_2) - M_2 - K_2.$$

With this new value of $C_0 = A_2$ we keep the same $B_3$ as with the original choice of $M_2$. We can thus choose the output value $H'_3$ by modifying $M_2$ and correcting $C_0$. However, $H'_0$, $H'_1$ and $H'_2$ are random for the attacker. Hence, 96 bits have to be bruteforced to invert the 32-step function. This gives a total cost of $2^{96}$ trials. We experimentally verified the correctness of our algorithm by searching for inputs that give $H'_2 = H'_3 = 0$ (see Appendix A).

2.3 Preimage Attack on 45 Steps

We present here an attack that computes 45-step preimages within trials and negligible memory. This combines a MITM with a conditional linear approximation of the step function. In short, the attack is based on the fact that $M_2$ appears at the very beginning and that $M_6$ and $M_9$ appear at the very end of 45-step MD5. Another key observation is that $M_2$ is used only once in the first 25 steps, and $M_6$ and $M_9$ are used only once after step 25. Algorithm 2 describes the attack for finding a preimage of $\tilde H_0 \ldots \tilde H_3$.

Correctness of the Attack. First, we use again (at line 1) the trick to absorb the modification of $C_0$, necessary to keep the forward stage unchanged with the new value of $M_2$. Then, observe that between steps 25 and 45, $M_6$ and $M_9$ are input at steps 44 and 45 (cf. Table 1).

Algorithm 2. Preimage attack on 45-step MD5.
1. set $A_0 = \tilde H_0$, $B_0 = 0$, $D_0 = \tilde H_3$ (We thus need $A_{45} = 0$, $B_{45} = \tilde H_1$, $D_{45} = 0$. Note that we'll have $f_{45}(B_{44}, C_{44}, D_{44}) = f_{45}(C_{45}, D_{45}, A_{45}) = C_{45}$.)
2. repeat
3. pick $M_0$ such that $B_1 = \texttt{0xffffffff}$
4. set arbitrary values to the remaining $M_i$'s except $M_6$ and $M_9$
5. for all $2^{64}$ choices of $C_0$ and $(M_6, M_9)$ such that $M_9 = -((M_6 \lll 19) + (M_6 \lll 23))$ (Here 23 coincides with $r_{44}$ and $19 = r_{44} - r_{45}$)
6. compute $A_1 \ldots D_{25}$, store it in a list $L$
7. for $M_6 = M_9 = 0$ and all $2^{64}$ choices of $C_{45}$ and $M_2$
8. compute $A_{25} \ldots D_{25}$ backwards
9. if this $A_{25} \ldots D_{25}$ matches an entry in $L$ then
10. correct $C_0$ to keep $B_3$ unchanged
11. return $A_0 \ldots D_0$ and $M_0 \ldots M_{15}$ (Here the message contains the $M_2$, $M_6$, $M_9$ corresponding to the matching entries)

At line 7 we use values of $M_6$ and $M_9$ distinct from the ones used in the forward stage (line 5). Hence, by setting $M_6$ and $M_9$ to the values chosen in the matching $L$ entry, we would expect different values of $B_{44} = C_{45}$ and $B_{45}$ than the (zero) ones used for the backward computation. Recall (cf. line 1) that we need $A_{45} = 0$, $B_{45} = \tilde H_1$, $D_{45} = 0$, hence the value of $C_{45}$ will not matter; we would however expect a random $B_{45}$ from the new values of $M_6$ and $M_9$. The trick used here is that the condition imposed on $M_6$ and $M_9$ at line 5 implies that the new $B_{45}$ equals the original $H'_1 = \tilde H_1$ with probability $2^{-4}$ instead of $2^{-32}$ for random values (see below). The attack thus succeeds in finding a 96-bit preimage when the MITM succeeds and $B_{45} = \tilde H_1$, that is, with probability. Storage for $2^{68}$ bytes is required for the MITM. For a full (128-bit) preimage we bruteforce the 32 remaining bits, thus the cost grows to trials.

Reducing the Memory Requirements. By using a cycle-finding algorithm (as for instance [11, 16]) the memory requirements of the meet-in-the-middle step of the attack can be significantly reduced. Hence, we can find a preimage for 45-step MD5 with a complexity of about and negligible memory requirements.

On the Choice of $M_6$ and $M_9$. We explain here why the condition $M_9 = -((M_6 \lll 19) + (M_6 \lll 23))$ gives $B_{45} = \tilde H_1$ with high probability.

Consider the last two steps (44 and 45): because $A_{45} = D_{45} = 0$ we have $C_{44} = D_{44} = 0$ and $B_{43} = C_{43} = 0$. Hence we have $f_i(B, C, D) = B \oplus C \oplus D = B + C + D$ in these two steps. Note that $A_{43}$ and $D_{43}$ depend on the $C_{45}$ used for the backward computation. Now we can compute $B_{44}$ and $B_{45}$ (note $r_{44} = 23$, $r_{45} = 9$):

$$B_{44} = (A_{43} + D_{43} + K_{43} + M_6) \lll 23$$
$$B_{45} = \big((A_{44} + B_{44} + K_{44} + M_9) \lll 4\big) + B_{44}$$

For simplicity we rewrite this with $X = A_{43} + D_{43} + K_{43}$ and $Y = A_{44} + K_{44}$:

$$B_{44} = (X + M_6) \lll 23$$
$$B_{45} = \big((Y + B_{44} + M_9) \lll 4\big) + B_{44}$$

Now we can express $B_{45}$:

$$B_{45} = \Big(\big(Y + ((X + M_6) \lll 23) + M_9\big) \lll 4\Big) + \big((X + M_6) \lll 23\big) \tag{6}$$

Since (cf. line 7 of the algorithm) we chose $(M_6, M_9) = (0, 0)$, this simplifies to

$$B_{45} = \big((Y + (X \lll 23)) \lll 4\big) + (X \lll 23) \tag{7}$$

Consider now the case $M_9 = -((M_6 \lll 19) + (M_6 \lll 23))$; Eq. (6) becomes:

$$B_{45} = \Big(\big(Y + ((X + M_6) \lll 23) - ((M_6 \lll 19) + (M_6 \lll 23))\big) \lll 4\Big) + \big((X + M_6) \lll 23\big) \tag{8}$$

We will simplify this equation by using the generic approximation

$$(A + B) \lll k = (A \lll k) + (B \lll k) \tag{9}$$

Daum showed [2, Sect. 4.1.3] that Eq. (9) holds with probability about $2^{-2}$ for random $A$ and $B$. We first use this approximation to replace $(X + M_6) \lll 23$ by $(X \lll 23) + (M_6 \lll 23)$. Thus Eq. (8) yields

$$B_{45} = \big((Y + (X \lll 23) - (M_6 \lll 19)) \lll 4\big) + (X \lll 23) + (M_6 \lll 23) \tag{10}$$

Finally we approximate $(Y + (X \lll 23) - (M_6 \lll 19)) \lll 4$ by $((Y + (X \lll 23)) \lll 4) - ((M_6 \lll 19) \lll 4)$, and Eq. (10) becomes

$$B_{45} = \big((Y + (X \lll 23)) \lll 4\big) + (X \lll 23).$$

Note that this is the same equation as for $(M_6, M_9) = (0, 0)$ in Eq. (7). Hence, we get the correct value in $B_{45}$ with a probability of $2^{-4}$, since we used two approximations.³

³ The exact probability is according to Daum's formulas.
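The two approximations can be checked numerically. The added Python below (not the paper's code) evaluates Eq. (6) directly on constructed random $X$, $Y$, $M_6$ and counts three frequencies: how often Eq. (9) holds for $k = 23$, how often the pair $(M_6, M_9)$ of Algorithm 2, line 5, leaves $B_{45}$ equal to its $(0, 0)$ value of Eq. (7), and how often an unrelated $M_9$ does. The rotation at step 45 is taken as 4, the amount used in Eqs. (6) to (10); the function names are the example's own.

```python
import random

MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def rotation_distributes(a, b, k):
    """Eq. (9): does (A + B) <<< k equal (A <<< k) + (B <<< k)?"""
    return rotl((a + b) & MASK, k) == (rotl(a, k) + rotl(b, k)) & MASK

def b45(x, y, m6, m9):
    """Eq. (6): B_45 as a function of X, Y and the two neutral words (rotations 23 and 4)."""
    b44 = rotl((x + m6) & MASK, 23)
    return (rotl((y + b44 + m9) & MASK, 4) + b44) & MASK

def neutral_m9(m6):
    """The pairing of Algorithm 2, line 5: M_9 = -((M_6 <<< 19) + (M_6 <<< 23))."""
    return -(rotl(m6, 19) + rotl(m6, 23)) & MASK

def estimate(trials=50000, seed=7):
    """Monte Carlo frequencies of: Eq. (9) for k = 23; B_45 unchanged under the pairing;
    B_45 unchanged for an unrelated M_9 (the 2^-32 baseline)."""
    rng = random.Random(seed)                  # constructed random inputs
    eq9 = paired = unrelated = 0
    for _ in range(trials):
        x, y, m6 = (rng.getrandbits(32) for _ in range(3))
        base = b45(x, y, 0, 0)                 # Eq. (7): the value of the backward stage
        eq9 += rotation_distributes(x, m6, 23)
        paired += base == b45(x, y, m6, neutral_m9(m6))
        unrelated += base == b45(x, y, m6, rng.getrandbits(32))
    return eq9 / trials, paired / trials, unrelated / trials
```

On 50,000 trials the three frequencies come out near $2^{-2}$, near $2^{-4}$ and at zero respectively, which is what the derivation predicts: the pairing does not make $B_{45}$ deterministic, it raises the chance of the wanted value from $2^{-32}$ to about one in sixteen.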

Delayed-Start Attack. This attack strategy can be applied to invert the 47 steps from step 16 to 62, using $M_6$ in place of $M_2$, and the pair $(M_4, M_{11})$ instead of $(M_6, M_9)$.

2.4 Preimage Attack on 47 Steps

In the following we will show how to construct a preimage for the compression function of 47-step MD5 with a complexity of about. This attack combines the 32-step attack with a meet-in-the-middle (MITM) strategy. The latter is made possible by the invertibility of the step function. The attack on 47-step MD5 can be summarized as follows:

1. set the initial state variables to absorb a change in $C_0$, as in the 32-step attack
2. compute $A_{29} \ldots D_{29}$ for all $2^{32}$ choices of $C_0$ and save the result in a list $L$
3. compute $A_{30} \ldots D_{30}$ for all $2^{32}$ choices of $C_{47}$ and meet in the middle by finding a matching entry in $L$

Algorithm 3 describes the attack more formally.

Algorithm 3. Preimage attack on 47-step MD5.
1. set $B_0 = 0$ and $A_0$, $C_0$, $D_0$ to arbitrary values
2. repeat
3. pick $M_0$ such that $B_1 = \texttt{0xffffffff}$
4. pick arbitrary values for $M_1 \ldots M_{15}$
5. for all $2^{32}$ choices of $C_0$
6. compute $A_{29} \ldots D_{29}$, store it in a list $L$
7. set $A_{47} = \tilde H_0 - A_0$, $B_{47} = \tilde H_1 - B_0$, $D_{47} = \tilde H_3 - D_0$
8. for all $2^{32}$ choices of $C_{47}$
9. compute (backwards) $A_{30} \ldots D_{30}$
10. if $L$ contains an entry with $A_{30} = D_{29}$, $C_{30} = B_{29}$, $D_{30} = C_{29}$ then
11. modify $M_2$ to have $B_{30} = \big((A_{29} + f(B_{29}, C_{29}, D_{29}) + M_2 + K_{29}) \lll 9\big) + B_{29}$
12. correct $C_0$ to keep $B_3$ unchanged
13. compute the final hash value $H'_0 \ldots H'_3$
14. return $A_0 \ldots D_0$ and $M_1 \ldots M_{15}$

Again this attack essentially exploits the absorption of 32 bits during the early steps to save a $2^{32}$ complexity factor. Note that when the MITM succeeds, i.e. when the line 10 predicate holds, we only have a 96-bit preimage because $H'_2 = C_{47} + C_0$ is random. This is because both $C_0$ and $C_{47}$ are random for the attacker. Each repeat loop hence succeeds in finding a 96-bit preimage with probability $2^{-32}$, and costs $2^{32}$ trials. This is respectively because

1. we have $2^{64}$ candidate pairs that each match with probability
2. the cost of the two for loops amounts to $2^{32}$ computations of the compression function

The total cost for finding a 128-bit preimage is thus $2^{96}$, with a required storage of $2^{36}$ bytes (64 GB) for the MITM. This allows us to find preimages on the 47-step MD5 compression function $2^{32}$ times faster than bruteforce. However it doesn't directly give a preimage attack for the hash function because the initial value is here partially random, whereas in the hash function it is fixed.

3 Preimage Attacks on 3-Pass HAVAL

HAVAL was proposed with either 3, 4, or 5 passes, i.e. 96, 128, or 160 steps. It has message blocks and hash values twice as large as MD5, i.e. 1024 bits (32 words) and 256 bits (8 words) respectively. In the following, we present two methods to invert the compression function of 3-pass HAVAL. Both attacks have a complexity of about compression function evaluations. Like in the attacks on step-reduced MD5, we combine a generic MITM with weaknesses in the design of the compression function. In detail, we exploit the properties of the Boolean functions to absorb differences in their input, and special properties of the message ordering in 3-pass HAVAL. But before describing the attacks, we give a short description of 3-pass HAVAL.

Fig. 2. The step function of HAVAL.

3.1 Short Description of 3-Pass HAVAL

The structure of HAVAL is similar to that of MD5: registers $A_0, B_0, \ldots, G_0, H_0$ are initialized to the input chain values and finally the function returns

$$(H'_0, \ldots, H'_7) = (A_{96} + A_0,\; B_{96} + B_0,\; \ldots,\; G_{96} + G_0,\; H_{96} + H_0)$$

after 96 steps that set

$$A_i = B_{i-1},\quad B_i = C_{i-1},\quad C_i = D_{i-1},\quad D_i = E_{i-1},$$
$$E_i = F_{i-1},\quad F_i = G_{i-1},\quad G_i = H_{i-1},$$
$$H_i = (A_{i-1} \ggg 11) + \big(f_i(B_{i-1}, C_{i-1}, D_{i-1}, E_{i-1}, F_{i-1}, G_{i-1}, H_{i-1}) \ggg 7\big) + K_i + M_{\sigma(i)}$$

Table 2. Values of $\sigma(i)$ in 3-pass HAVAL for $i = 1, \ldots, 96$ (we boldface the key inputs of $M_5$ and $M_6$). [Columns: step index $i$, message word $\sigma(i)$.]

We thus have $H_i = G_{i+1} = F_{i+2} = E_{i+3} = D_{i+4} = C_{i+5} = B_{i+6} = A_{i+7}$ for $i =$ . Like in MD5 the step function is invertible, and uses step-specific constants $K_i$, Boolean functions $f_i$, and message words $M_{\sigma(i)}$. The step functions are defined as (with e.g. $BC = B \wedge C$):

$$f_i(B, C, \ldots, H) = FE \oplus BH \oplus CG \oplus DF \oplus D \quad \text{if } 0 < i \le 32$$
$$f_i(B, C, \ldots, H) = ECH \oplus CGH \oplus CE \oplus EG \oplus CD \oplus FH \oplus GF \oplus BC \oplus B \quad \text{if } 32 < i \le 64$$
$$f_i(B, C, \ldots, H) = CDE \oplus CF \oplus DG \oplus EB \oplus EH \oplus H \quad \text{if } 64 < i \le 96$$

The $\sigma(i)$'s are in Table 2. See [22] or [20] for a complete specification.

3.2 Preimage Attack A

Suppose we seek a preimage of $\tilde H_0 \ldots \tilde H_7$ with an arbitrary value for $\tilde H_6$; that is, we only want a 224-bit preimage. In the attack below we exploit the properties

of the Boolean function $f_i$ to absorb a difference in the input, and combine it with a MITM to improve on bruteforce search. Algorithm 4 describes the attack in detail.

Algorithm 4. Preimage attack A on 3-pass HAVAL.
1. set $C_0 = 0$, $D_0 = \tilde H_3 - \texttt{0xffffffff}$, $E_0 = F_0$, $H_0 = 0$, and arbitrary $A_0$, $B_0$, $G_0$ (We need to assume $D_{96} = \texttt{0xffffffff}$ for our attack to work)
2. repeat
3. choose an arbitrary message for which $H_1 = \texttt{0xffffffff}$ and $H_3 = H_5 = 0$ (This guarantees that differences in $G_0$ will be absorbed in the first 6 rounds)
4. for all $2^{64}$ choices of $G_0$ and $M_5$ (A difference in $M_5$ only changes $G_{96}$ after step 48)
5. compute $A_{48} \ldots H_{48}$ and store it in a list $L$
6. set $A_{96} = \tilde H_0 - A_0, \ldots, H_{96} = \tilde H_7 - H_0$
7. for all $2^{64}$ choices of $G_{96}$ and $M_6$
8. compute $A_{48} \ldots H_{48}$ by going backwards
9. if this $A_{48} \ldots H_{48}$ matches an entry in $L$ then
10. correct $G_0$ such that $A_7 \ldots H_7$ remains unchanged
11. return $A_0 \ldots H_0$ and $M_0 \ldots M_{31}$

In the end the computed image $H'$ is the same as the sought image $\tilde H$ except (with probability) for $H'_6 = G_{96} + G_0$. Here $M_5$ and $M_6$ are used as neutral words, respectively in the second and the first part of the attack; the change in $G_0$ will correct the change in $M_6$, while being absorbed during the first six steps. Furthermore, if the MITM condition at line 8 is satisfied then we directly get a 224-bit preimage, because at line 6 we choose $A_{96} \ldots F_{96}, H_{96}$. Indeed we have $2^{64}$ candidates for $A_{48}, \ldots, H_{48}$ resulting from the forward computation and $2^{64}$ candidates resulting from the backward computation, so we'll find a match and thus a partial preimage with probability. Hence, by repeating the attack times we'll find a 224-bit preimage with about compression function evaluations. We need storage for $2^{69}$ bytes to perform the MITM. Note that a full (256-bit) preimage is obtained by bruteforcing the 32 remaining bits, increasing the cost to trials.
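As an added illustration (not the authors' code), the Python below models the first pass of HAVAL with the step function and $f_i$ of Section 3.1 and verifies the absorption claim behind lines 1, 3 and 10 of Algorithm 4 on constructed inputs: with $C_0 = 0$, $E_0 = F_0$, $H_0 = 0$ and message words chosen so that $H_1 = \texttt{0xffffffff}$ and $H_3 = H_5 = 0$, a change of $G_0$ leaves $A_7 \ldots G_7$ untouched and only reaches $H_7$, where it enters as $A_6 \ggg 11$ next to $M_6$; a change of $M_6$ is therefore cancelled by re-choosing $G_0$. Since the page does not print them, the example assumes that pass 1 consumes the message words in order ($\sigma(i) = i - 1$), adds no constant ($K_i = 0$) and rotates to the right; choosing message words through the inverted step is the example's own construction.

```python
import random

MASK = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def rotl(x, n):
    return rotr(x, 32 - n)

def f1(b, c, d, e, f, g, h):
    """First-pass Boolean function of the paper: FE ^ BH ^ CG ^ DF ^ D."""
    return (f & e) ^ (b & h) ^ (c & g) ^ (d & f) ^ d

# Assumptions (not stated on the page): in pass 1 the message words are used in
# order, sigma(i) = i - 1 for i = 1..32, and no additive constant is added (K_i = 0).
def sigma(i):
    return i - 1

K1 = 0

def step(i, state, m):
    """Step i of pass 1: registers shift B->A, ..., H->G and the new H_i is computed."""
    a, b, c, d, e, f, g, h = state
    new_h = (rotr(a, 11) + rotr(f1(b, c, d, e, f, g, h), 7) + K1 + m[sigma(i)]) & MASK
    return (b, c, d, e, f, g, h, new_h)

def word_for_target(i, state, target):
    """Invert step i in its message word: the M_sigma(i) that gives H_i == target."""
    a, b, c, d, e, f, g, h = state
    return (target - rotr(a, 11) - rotr(f1(b, c, d, e, f, g, h), 7) - K1) & MASK

def run(state, m, steps):
    for i in range(1, steps + 1):
        state = step(i, state, m)
    return state                       # after 7 steps this is (H_0, H_1, ..., H_7)

def absorption_demo(seed=3):
    """Lines 1, 3 and 10 of Algorithm 4 on constructed inputs."""
    rng = random.Random(seed)          # constructed sample inputs
    a0, b0, d0, ef, g0, g0_alt = (rng.getrandbits(32) for _ in range(6))
    m = [rng.getrandbits(32) for _ in range(32)]

    def start(g):                      # C_0 = 0, E_0 = F_0, H_0 = 0, G_0 = g
        return (a0, b0, 0, d0, ef, ef, g, 0)

    # Force H_1 = 0xffffffff, H_3 = 0, H_5 = 0 through M_0, M_2, M_4 (line 3).
    st = start(g0)
    for i, target in ((1, 0xffffffff), (2, None), (3, 0), (4, None), (5, 0)):
        if target is not None:
            m[sigma(i)] = word_for_target(i, st, target)
        st = step(i, st, m)
    ref = run(start(g0), m, 7)
    constraints_hold = ref[1] == 0xffffffff and ref[3] == 0 and ref[5] == 0
    # A different G_0 changes nothing in A_7..G_7 = H_0..H_6, only H_7.
    alt = run(start(g0_alt), m, 7)
    only_h7_differs = ref[:7] == alt[:7] and ref[7] != alt[7]
    # Change M_6 (first used at step 7) and correct G_0 (line 10):
    # H_7 = (G_0 >>> 11) + ... + M_6, so G_0' = ((G_0 >>> 11) - delta) <<< 11
    # cancels delta = M_6' - M_6 and A_7..H_7 are exactly as before.
    m_new = list(m)
    m_new[6] = rng.getrandbits(32)
    delta = (m_new[6] - m[6]) & MASK
    g0_fixed = rotl((rotr(g0, 11) - delta) & MASK, 11)
    corrected = run(start(g0_fixed), m_new, 7) == ref
    return constraints_hold, only_h7_differs, corrected
```

`absorption_demo()` returns `(True, True, True)`. Tracing $G_0$ through the registers shows why each condition of line 1 and line 3 is needed: at step 1 it meets $C_0$ in $CG$, at step 2 it is multiplied by $E_0 \oplus F_0$, at step 3 by $H_0$, at step 4 by $H_1 \oplus 1$, at step 5 by $H_3$ and at step 6 by $H_5$, and every one of those factors is zero under the constraints.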
3.3 Preimage Attack B

This attack exploits the fact that $M_2$ appears at the very beginning in the first pass and at the very end in the last pass. By combining this with absorption of the Boolean function in the early steps (similarly to our attack on 47-step MD5), we can construct a 192-bit preimage within about trials. By repeating the attack about $2^{64}$ times we can construct a preimage for the compression function with a complexity of about instead of the expected compression function

evaluations. Algorithm 5 computes a preimage of $\tilde H_0 \ldots \tilde H_7$ where all $\tilde H_i$'s are fixed but $\tilde H_2$ and $\tilde H_6$ (i.e. a 192-bit preimage):

Algorithm 5. Preimage attack B on 3-pass HAVAL.
1. set $A_0 = \tilde H_0$, $B_0 = \tilde H_1$, $D_0 = \tilde H_3$, $E_0 = \tilde H_4$, $F_0 = \tilde H_5$, $G_0 = 0$. (To get a 192-bit preimage we thus need $A_{96} = B_{96} = 0$, $D_{96} = E_{96} = F_{96} = 0$, $G_{96} = \tilde H_7$)
2. repeat
3. pick an arbitrary message for which the state variable $H_1 = 0$. (This guarantees that a change in $C_0$ will only affect $A_2$)
4. for all $2^{64}$ choices of $C_0$ and $H_0$
5. compute $A_{60} \ldots H_{60}$ and store it in a list $L$
6. for all $2^{64}$ choices of $C_{96}$ and $H_{96}$
7. compute $A_{61} \ldots H_{61}$ (backwards)
8. if $L$ contains a tuple such that $A_{61} = B_{60}, \ldots, G_{61} = H_{60}$ then
9. modify $M_2$ to have $H_{61} = (A_{60} \ggg 11) + (f_{61}(\ldots) \ggg 7) + M_2 + K_{61}$
10. correct $C_0$ and $H_{96}$ accordingly
11. return $A_0 \ldots H_0$ and $M_0 \ldots M_{15}$

The MITM will succeed (line 8 of Algorithm 5) with probability $2^{-96} = 2^{128}/2^{224}$, hence trials are required to get a 192-bit preimage (and storage for $2^{69}$ bytes). A full (256-bit) preimage is obtained by bruteforcing the 64 remaining bits, which increases the cost to trials.

4 Extension to the Hash Functions

In this section, we will show how to extend the preimage attacks on the compression function of step-reduced MD5 and 3-pass HAVAL to the hash function. The extension of the attacks to the hash function is constrained by the padding rule and the predefined IV. The padding rule of MD5 and HAVAL forces the last bits of the message to encode its length. Thus a preimage attack should find messages that match this constraint. In our attacks we have no restrictions on the last message words and hence the padding rule is no problem; in each of the attacks proposed, we shall simply choose the end of the message to be of the form $l$, where $l$ represents the bit length of the original message (without the padding bits). However, the IV of our preimages for the compression function is different from the fixed one; e.g.
in the attack on MD5 reduced to 47 steps we require $B_0 = 0$, and get a random value for $C_0$. There are several methods to turn our attacks into preimage attacks starting from the predefined IV, as described in the next two sections; the general idea will be to find many preimages (with

partially random initial value) and to find many images of the fixed IV, and then combine them to bridge the gap between the IV and the image.

4.1 Basic Meet-in-the-Middle

Suppose we want a preimage of $\tilde H$. This attack sets a parameter $0 < x < n$, and first computes $2^x$ preimages $(\tilde H_i, M_i)$, $i = 0, \ldots, 2^x - 1$, that is, such that $f(\tilde H_i, M_i) = \tilde H$; the $M_i$'s are chosen to have convenient padding bits. Then the attack computes $2^{n-x}$ random images $H_j = f(\mathrm{IV}, M_j)$, $j = 0, \ldots, 2^{n-x} - 1$, for random $M_j$'s and the IV specified for the function. Finally we find a pair $(i, j)$ such that $\tilde H_i = H_j$, and return the message $M = M_j \,\|\, M_i$ as a preimage of $\tilde H$. Because there are in total $2^n$ pairs $(i, j)$, the attack will work with high probability.

For reduced-step MD5 with the optimal $x$ we compute forward random chain values and compute backward $2^{16}$ preimages within trials. The total cost of the 47-step preimage attack is thus about trials and memory for a preimage attack. For 3-pass HAVAL we compute forward chain values and backward $2^{16}$ preimages within trials. The total cost is trials plus memory for a preimage attack.

4.2 Tree Approach

This attack is an improved version of the meet-in-the-middle above. It is based on the finding of multi-target preimages, and the construction of a tree whose root is the target image. This is exactly the technique described in [6] (a similar approach was published before by Mendel and Rijmen in [10]). To summarize, we proceed in two stages:

1. Backward stage: use a tree-based technique to compute a set $S$ of multi-block preimages
2. Forward stage: compute images of random message blocks with the predefined IV until one lies in $S$

For MD5 the forward stage costs $2^{96}$ trials and the backward stage costs trials to compute 32-block preimages, plus storage for $2^{33}$ message blocks (i.e. $2^{39}$ bytes). Applied to 3-pass HAVAL we get a preimage attack that makes trials and needs $2^{71}$ bytes of storage.
5 Conclusion

We presented the first preimage attacks for the hash functions 3-pass HAVAL and step-reduced MD5: we described several preimage attacks on the MD5 compression function that invert up to 47 (out of 64) steps within $2^{96}$ compression function evaluations, instead of the expected $2^{128}$, and two preimage attacks on the 3-pass HAVAL compression function that cost compression function evaluations instead of. We extended our best attacks to the hash functions (with padding and fixed IV) for a cost of and trials, respectively.

Although these attacks are not practical (notably due to large memory requirements), they show that the security margin of 3-pass HAVAL and step-reduced MD5 with respect to preimage attacks is not as high as expected.

Acknowledgments. We would like to thank Kazumaro Aoki and Yu Sasaki for communicating us their results on MD5 and making helpful comments.

References

1. Ronald Cramer, editor. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, volume 3494 of LNCS. Springer.
2. Magnus Daum. Cryptanalysis of Hash Functions of the MD4-Family. PhD thesis, Ruhr Universität Bochum.
3. Debapratim De, Abishek Kumarasubramanian, and Ramarathnam Venkatesan. Inversion attacks on secure hash functions using SAT solvers. In João Marques-Silva and Karem A. Sakallah, editors, SAT, volume 4501 of LNCS. Springer.
4. Bert den Boer and Antoon Bosselaers. Collisions for the compression function of MD5. In Tor Helleseth, editor, EUROCRYPT, volume 765 of LNCS. Springer.
5. Hans Dobbertin. The first two rounds of MD4 are not one-way. In Serge Vaudenay, editor, FSE, volume 1372 of LNCS. Springer.
6. Gaëtan Leurent. MD4 is not one-way. In Kaisa Nyberg, editor, FSE 2008, LNCS. Springer. To appear.
7. Jongsung Kim, Alex Biryukov, Bart Preneel, and Sangjin Lee. On the security of encryption modes of MD4, MD5 and HAVAL. In Sihan Qing, Wenbo Mao, Javier Lopez, and Guilin Wang, editors, ICICS, volume 3783 of LNCS. Springer.
8. Vlastimil Klima. Tunnels in hash functions: MD5 collisions within a minute. Cryptology ePrint Archive, Report 2006/105.
9. Eunjin Lee, Jongsung Kim, Donghoon Chang, Jaechul Sung, and Seokhie Hong. Second preimage attack on 3-pass HAVAL and partial key-recovery attacks on NMAC/HMAC-3-pass HAVAL. To appear.
10. Florian Mendel and Vincent Rijmen. Weaknesses in the HAS-V compression function. In Kil-Hyun Nam and Gwangsoo Rhee, editors, ICISC, volume 4817 of LNCS. Springer.
11. Jean-Jacques Quisquater and Jean-Paul Delescaille. How easy is collision search? Application to DES (extended summary). In Jean-Jacques Quisquater and Joos Vandewalle, editors, EUROCRYPT, volume 434 of LNCS. Springer.
12. Ronald Rivest. RFC: The MD5 Message-Digest Algorithm.
13. Bart Van Rompay, Alex Biryukov, Bart Preneel, and Joos Vandewalle. Cryptanalysis of 3-pass HAVAL. In Chi-Sung Laih, editor, ASIACRYPT, volume 2894 of LNCS. Springer, 2003.

14. Yu Sasaki and Kazumaro Aoki. Preimage attack on step-reduced MD5. In Yi Mu and Willy Susilo, editors, ACISP 2008, LNCS. Springer. To appear.
15. Yu Sasaki and Kazumaro Aoki. Preimage attacks on one-block MD4, 63-step MD5 and more. In Roberto Avanzi, Liam Keliher, and Francesco Sica, editors, SAC 2008, LNCS. Springer. To appear.
16. Robert Sedgewick, Thomas G. Szymanski, and Andrew Chi-Chih Yao. The complexity of finding cycles in periodic functions. SIAM Journal on Computing, 11(2).
17. Marc Stevens, Arjen K. Lenstra, and Benne de Weger. Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In Moni Naor, editor, EUROCRYPT, volume 4515 of LNCS. Springer.
18. Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Cryptanalysis of the hash functions MD4 and RIPEMD. In Cramer [1].
19. Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions. In Cramer [1].
20. Hirotaka Yoshida, Alex Biryukov, Christophe De Cannière, Joseph Lano, and Bart Preneel. Non-randomness of the full 4 and 5-pass HAVAL. In Carlo Blundo and Stelvio Cimato, editors, SCN, volume 3352 of LNCS. Springer.
21. Hongbo Yu, Xiaoyun Wang, Aaram Yun, and Sangwoo Park. Cryptanalysis of the full HAVAL with 4 and 5 passes. In Matthew J. B. Robshaw, editor, FSE, volume 4047 of LNCS. Springer.
22. Yuliang Zheng, Josef Pieprzyk, and Jennifer Seberry. HAVAL - a one-way hashing algorithm with variable length of output. In Jennifer Seberry and Yuliang Zheng, editors, ASIACRYPT, volume 718 of LNCS. Springer.

A Partial Preimage for 32-Step MD5

With the IV

H_0 = 0x
H_1 = 0x00000000
H_2 = 0x382ca539
H_3 = 0x

and the message

M_0 = 0xb11de410    M_4 = 0x792a351e    M_8 = 0x6d32a030    M_12 = 0x1dd5ec6d
M_1 = 0x5c0cd1ec    M_5 = 0x420582b7    M_9 = 0x16b2e752    M_13 = 0x4794f768
M_2 = 0xd7d35ac7    M_6 = 0x77v8de3d    M_10 = 0x3b70c422   M_14 = 0x04fef18f
M_3 = 0x5704c13b    M_7 = 0x2476b43b    M_11 = 0x685cb2aa   M_15 = 0x

we get the image

H'_0 = 0xb4df93c9
H'_1 = 0x3348e3f2
H'_2 = 0x00000000
H'_3 = 0x00000000

This was found in fewer than five minutes on our 2.4 GHz Core 2 Duo, whereas brute force would take about $2^{64}$ trials (thousands of years on the same computer).


More information

Beyond the MD5 Collisions

Beyond the MD5 Collisions Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and

More information

Second Preimages for Iterated Hash Functions and their Implications on MACs

Second Preimages for Iterated Hash Functions and their Implications on MACs Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)

More information

Cryptanalysis of the GOST Hash Function

Cryptanalysis of the GOST Hash Function Cryptanalysis o the GOST Hash Function Florian Mendel 1, Norbert Pramstaller 1, Christian Rechberger 1, Marcin Kontak 2, and Janusz Szmidt 2 1 Institute or Applied Inormation Processing and Communications

More information

Finding good differential patterns for attacks on SHA-1

Finding good differential patterns for attacks on SHA-1 Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,

More information

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1 TheImpactoCarriesontheComplexityo Collision Attacks on SHA-1 Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute or Applied Inormation Processing and Communications

More information

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,

More information

Introduction Description of MD5. Message Modification Generate Messages Summary

Introduction Description of MD5. Message Modification Generate Messages Summary How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012 Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification

More information

Impact of Rotations in SHA-1 and Related Hash Functions

Impact of Rotations in SHA-1 and Related Hash Functions Impact of Rotations in SHA-1 and Related Hash Functions Norbert Pramstaller, Christian Rechberger, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK), Graz University

More information

Collision Attack on Boole

Collision Attack on Boole Collision Attack on Boole Florian Mendel, Tomislav Nad and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a, A-8010

More information

Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl

Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Improved (Pseudo) Preimage Attack and Second Preimage Attack on Round-Reduced Grøstl Jian Zou, Wenling Wu, Shuang Wu, and Le Dong Institute of Software Chinese Academy of Sciences Beijing 100190, China

More information

Cryptanalysis of the Hash Functions MD4 and RIPEMD

Cryptanalysis of the Hash Functions MD4 and RIPEMD Cryptanalysis of the Hash Functions MD4 and RIPEMD Xiaoyun Wang 1, Xuejia Lai 2, Dengguo Feng 3, Hui Chen 1, and Xiuyuan Yu 4 1 Shandong University, Jinan250100, China xywang@sdu.edu.cn 2 Shanghai Jiaotong

More information

SMASH - A Cryptographic Hash Function

SMASH - A Cryptographic Hash Function SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the

More information

Preimage Attack on ARIRANG

Preimage Attack on ARIRANG Preimage Attack on ARIRANG Deukjo Hong, Woo-Hwan Kim, Bonwook Koo The Attached Institute of ETRI, P.O.Box 1, Yuseong, Daejeon, 305-600, Korea {hongdj,whkim5,bwkoo}@ensec.re.kr Abstract. The hash function

More information

Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98

Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98 Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98 Donghoon Chang 1, Jaechul Sung 2, Soohak Sung 3,SangjinLee 1,and Jongin Lim 1 1 Center for Information Security

More information

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Distinguishers for the Compression Function and Output Transformation of Hamsi-256 Jean-Philippe Aumasson Emilia Käsper Lars Ramkilde Knudsen Krystian Matusiewicz Rune Ødegård Thomas Peyrin Martin Schläffer

More information

Cryptographic Hash Functions Part II

Cryptographic Hash Functions Part II Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among

More information

New Preimage Attacks Against Reduced SHA-1

New Preimage Attacks Against Reduced SHA-1 New Preimage Attacks Against Reduced SHA-1 Simon Knellwolf 1 and Dmitry Khovratovich 2 1 ETH Zurich and FHNW, Switzerland 2 Microsoft Research Redmond, USA Abstract. This paper shows preimage attacks against

More information

SMASH - A Cryptographic Hash Function

SMASH - A Cryptographic Hash Function SMASH - A Cryptographic Hash Function Lars R. Knudsen Department of Mathematics, Technical University of Denmark Abstract. 1 This paper presents a new hash function design, which is different from the

More information

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function Gaoli Wang 1 and Yanzhao Shen 1 1 School of Computer Science and Technology, Donghua University, Shanghai 201620, China wanggaoli@dhu.edu.cn,

More information

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Linearization and Message Modification Techniques for Hash Function Cryptanalysis Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification

More information

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework Zheng Yuan 1,2,3, Haixia Liu 1, Xiaoqiu Ren 1 1 Beijing Electronic Science and Technology Institute, Beijing 100070,China

More information

Rebound Attack on Reduced-Round Versions of JH

Rebound Attack on Reduced-Round Versions of JH Rebound Attack on Reduced-Round Versions of JH Vincent Rijmen 1,2, Deniz Toz 1 and Kerem Varıcı 1, 1 Katholieke Universiteit Leuven Department of Electronical Engineering ESAT SCD-COSIC, and Interdisciplinary

More information

New Collision attacks Against Up To 24-step SHA-2

New Collision attacks Against Up To 24-step SHA-2 New Collision attacks Against Up To 24-step SHA-2 Somitra Kumar Sanadhya and Palash Sarkar Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India 700108. somitra r@isical.ac.in,

More information

Generic Universal Forgery Attack on Iterative Hash-based MACs

Generic Universal Forgery Attack on Iterative Hash-based MACs Generic Universal Forgery Attack on Iterative Hash-based MACs Thomas Peyrin and Lei Wang Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University,

More information

Finding MD5 Collisions a Toy For a Notebook

Finding MD5 Collisions a Toy For a Notebook Finding MD5 Collisions a Toy For a Notebook Vlastimil Klíma 1 Prague, Czech Republic http://cryptography.hyperlink.cz v.klima@volny.cz March 5, 2005 Abstract. In this short memo, we summarize the results

More information

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512

Cryptanalysis of the 10-Round Hash and Full Compression Function of SHAvite-3-512 Downloaded from orbit.dtu.dk on: Jan 8, 219 Cryptanalysis of the 1-Round Hash and Full Compression Function of SHAvite-3-512 Gauravaram, Praveen; Leurent, Gaëtan; Mendel, Florian; Plasencia, Maria Naya;

More information

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers 1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending

More information

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Q. Nguyen École Normale Supérieure Département d Informatique, 45 rue d Ulm, 75230 Paris Cedex 05, France

More information

New Attacks on the Concatenation and XOR Hash Combiners

New Attacks on the Concatenation and XOR Hash Combiners New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)

More information

The Security of Abreast-DM in the Ideal Cipher Model

The Security of Abreast-DM in the Ideal Cipher Model The Security of breast-dm in the Ideal Cipher Model Jooyoung Lee, Daesung Kwon The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390 jlee05@ensec.re.kr,ds

More information

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5 Author manuscript, published in "Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference 4622 (2007) 13-30" DOI : 10.1007/978-3-540-74143-5_2 Full Key-Recovery Attacks on

More information

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512 Takanori Isobe and Taizo Shirai Sony Corporation 1-7-1 Konan, Minato-ku, Tokyo 108-0075, Japan {Takanori.Isobe,Taizo.Shirai}@jp.sony.com

More information

Cryptanalysis of EnRUPT

Cryptanalysis of EnRUPT Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is

More information

Improved Collision Search for SHA-0

Improved Collision Search for SHA-0 Improved Collision Search for SHA-0 Yusuke Naito 1, Yu Sasaki 1, Takeshi Shimoyama 2, Jun Yajima 2, Noboru Kunihiro 1, and Kazuo Ohta 1 1 The University of Electro-Communications, Japan {tolucky,yu339,kunihiro,ota}@ice.uec.ac.jp

More information

MD5 is Weaker than Weak: Attacks on Concatenated Combiners

MD5 is Weaker than Weak: Attacks on Concatenated Combiners MD5 is Weaker than Weak: Attacks on Concatenated Combiners Florian Mendel, Christian Rechberger, and Martin Schläffer Institute for Applied Information Processing and Communications (IAIK) Graz University

More information

Cryptanalysis of MDC-2

Cryptanalysis of MDC-2 Cryptanalysis of MDC-2 Lars R. Knudsen 1, Florian Mendel 2, Christian Rechberger 2, and Søren S. Thomsen 1 1 Department of Mathematics, Technical University of Denmark Matematiktorvet 303S, DK-2800 Kgs.

More information

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2007 How to Find the Sufficient Collision Conditions for Haval-128 Pass

More information

Week 12: Hash Functions and MAC

Week 12: Hash Functions and MAC Week 12: Hash Functions and MAC 1. Introduction Hash Functions vs. MAC 2 Hash Functions Any Message M Hash Function Generate a fixed length Fingerprint for an arbitrary length message. No Key involved.

More information

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512 Charles Bouillaguet 1, Orr Dunkelman 2, Gaëtan Leurent 1, and Pierre-Alain Fouque 1 1 Département

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New

More information

Cryptanalysis of Twister

Cryptanalysis of Twister Cryptanalysis of Twister Florian Mendel and Christian Rechberger and Martin chläffer Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology, Inffeldgasse 16a,

More information

New Preimage Attack on MDC-4

New Preimage Attack on MDC-4 New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks

More information

Further progress in hashing cryptanalysis

Further progress in hashing cryptanalysis Further progress in hashing cryptanalysis Arjen K. Lenstra Lucent Technologies, Bell Laboratories February 26, 2005 Abstract Until further notice all new designs should use SHA-256. Existing systems using

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications

Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications Abstract Vlastimil Klima 1, 2 v.klima@volny.cz http://cryptography.hyperlink.cz/ Prague, Czech Republic March 31, 2005 version

More information

A New Distinguisher on Grain v1 for 106 rounds

A New Distinguisher on Grain v1 for 106 rounds A New Distinguisher on Grain v1 for 106 rounds Santanu Sarkar Department of Mathematics, Indian Institute of Technology, Sardar Patel Road, Chennai 600036, India. sarkar.santanu.bir@gmail.com Abstract.

More information

Martin Cochran. August 24, 2008

Martin Cochran. August 24, 2008 Notes on the Wang et al. 2 63 SHA-1 Differential Path Martin Cochran August 24, 2008 Abstract Although advances in SHA-1 cryptanalysis have been made since the 2005 announcement of a2 63 attack by Wang

More information

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Cryptanalysis of Tweaked Versions of SMASH and Reparation Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr

More information

Practical pseudo-collisions for hash functions ARIRANG-224/384

Practical pseudo-collisions for hash functions ARIRANG-224/384 Practical pseudo-collisions for hash functions ARIRANG-224/384 Jian Guo 1, Krystian Matusiewicz 2, Lars R. Knudsen 2, San Ling 1, and Huaxiong Wang 1 1 School of Physical and Mathematical Sciences, Nanyang

More information

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland

More information

2: Iterated Cryptographic Hash Functions

2: Iterated Cryptographic Hash Functions 2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define

More information

Higher Order Universal One-Way Hash Functions

Higher Order Universal One-Way Hash Functions Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr

More information

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland

How to Improve Rebound Attacks. María Naya-Plasencia FHNW - Switzerland How to Improve Rebound Attacks María Naya-Plasencia FHNW - Switzerland Outline 1 Hash Functions and the SHA-3 Competition 2 The Rebound Attack and Motivation 3 Merging Lists with Respect to t Problem 1

More information

Practical pseudo-collisions for hash functions ARIRANG-224/384

Practical pseudo-collisions for hash functions ARIRANG-224/384 Practical pseudo-collisions for hash functions ARIRANG-224/384 Jian Guo 1, Krystian Matusiewicz 2, Lars R. Knudsen 2, San Ling 1, and Huaxiong Wang 1 1 School of Physical and Mathematical Sciences, Nanyang

More information

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34 Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:

More information

Finding collisions for MD4 hash algorithm using hybrid algorithm

Finding collisions for MD4 hash algorithm using hybrid algorithm Finding collisions for MD4 hash algorithm using hybrid algorithm Marko Carić caric.marko@gmail.com May 28, 2014 Abstract The modification of message that meets the sufficient conditions for collision is

More information

On the pseudo-random generator ISAAC

On the pseudo-random generator ISAAC On the pseudo-random generator ISAAC Jean-Philippe Aumasson FHNW, 5210 Windisch, Switzerland Abstract. This paper presents some properties of he deterministic random bit generator ISAAC (FSE 96), contradicting

More information

A Study of the MD5 Attacks: Insights and Improvements

A Study of the MD5 Attacks: Insights and Improvements A Study of the MD5 Attacks: Insights and Improvements John Black 1 and Martin Cochran 1 and Trevor Highland 2 1 University of Colorado at Boulder, USA www.cs.colorado.edu/ jrblack, ucsu.colorado.edu/ cochranm

More information

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions Scott Contini 1 and Yiqun Lisa Yin 2 1 Macquarie University, Centre for Advanced Computing ACAC, NSW 2109, Australia scontini@comp.mq.edu.au

More information

Rebound Distinguishers: Results on the Full Whirlpool Compression Function

Rebound Distinguishers: Results on the Full Whirlpool Compression Function Rebound Distinguishers: Results on the Full Whirlpool Compression Function Mario Lamberger 1, Florian Mendel 1, Christian Rechberger 1, Vincent Rijmen 1,2,3, and Martin Schläffer 1 1 Institute for Applied

More information

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256 Leibo Li 1 and Keting Jia 2 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, School of Mathematics,

More information

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function

Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Improved Collision Attacks on the Reduced-Round Grøstl Hash Function Kota Ideguchi 1,3, Elmar Tischhauser 1,2,, and Bart Preneel 1,2 1 Katholieke Universiteit Leuven, ESAT-COSIC and 2 IBBT Kasteelpark

More information

Inside the Hypercube

Inside the Hypercube Inside the Hypercube Jean-Philippe Aumasson 1, Eric Brier 3, Willi Meier 1, María Naya-Plasencia 2, and Thomas Peyrin 3 1 FHNW, Windisch, Switzerland 2 INRIA project-team SECRET, France 3 Ingenico, France

More information

Preimages for Reduced SHA-0 and SHA-1

Preimages for Reduced SHA-0 and SHA-1 Preimages for Reduced SHA-0 and SHA-1 Christophe De Cannière 1,2 and Christian Rechberger 3 1 Département d Informatique École Normale Supérieure, christophe.decanniere@ens.fr 2 Katholieke Universiteit

More information

A Five-Round Algebraic Property of the Advanced Encryption Standard

A Five-Round Algebraic Property of the Advanced Encryption Standard A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science

More information

New attacks on Keccak-224 and Keccak-256

New attacks on Keccak-224 and Keccak-256 New attacks on Keccak-224 and Keccak-256 Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 Computer Science department, The Weizmann Institute, Rehovot, Israel 2 Computer Science Department, University

More information

Cryptanalysis of Luffa v2 Components

Cryptanalysis of Luffa v2 Components Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University

More information

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD-COSIC Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium wu.hongjun,bart.preneel@esat.kuleuven.be

More information

Time-memory Trade-offs for Near-collisions

Time-memory Trade-offs for Near-collisions Time-memory Trade-offs for Near-collisions Gaëtan Leurent UCL Crypto Group Gaetan.Leurent@uclouvain.be Abstract. In this work we consider generic algorithms to find nearcollisions for a hash function.

More information

Efficient Collision Search Attacks on SHA-0

Efficient Collision Search Attacks on SHA-0 Efficient Collision Search Attacks on SHA-0 Xiaoyun Wang 1,, Hongbo Yu 2, and Yiqun Lisa Yin 3 1 Shandong University, China xywang@sdu.edu.cn 2 Shandong University, China yhb@mail.sdu.edu.cn 3 Independent

More information

Preimages for Reduced SHA-0 and SHA-1

Preimages for Reduced SHA-0 and SHA-1 Preimages for Reduced SHA-0 and SHA-1 Christophe De Cannière 1,2 and Christian Rechberger 3 1 Département d Informatique École Normale Supérieure christophe.decanniere@ens.fr 2 Katholieke Universiteit

More information

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium

Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium Jean-Philippe Aumasson 1, Itai Dinur 2, Willi Meier 1, and Adi Shamir 2 1 FHNW, Windisch, Switzerland 2 Computer Science Department,

More information

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

Improved Collision Attack on MD5

Improved Collision Attack on MD5 Improved Collision Attack on MD5 Yu Sasaki* Yusuke Naito* Noboru Kunihiro* Kazuo Ohta* *The University of Electro-Communications, Japan { yu339, tolucky } @ice.uec.ac.jp Abstract In EUROCRYPT2005, a collision

More information

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

ENEE 459-C Computer Security. Message authentication (continue from previous lecture) ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic

More information

Hash Function Balance and its Impact on Birthday Attacks

Hash Function Balance and its Impact on Birthday Attacks Hash Function Balance and its Impact on Birthday Attacks Mihir Bellare 1 and Tadayoshi Kohno 1 Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive, La Jolla,

More information

Optimal Covering Codes for Finding Near-Collisions

Optimal Covering Codes for Finding Near-Collisions Optimal Covering Codes for Finding Near-Collisions Mario Lamberger 1 and Vincent Rijmen 1,2 1 Institute for Applied Information Processing and Communications Graz University of Technology, Inffeldgasse

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

Algebraic properties of SHA-3 and notable cryptanalysis results

Algebraic properties of SHA-3 and notable cryptanalysis results Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =

More information

Linear Analysis of Reduced-Round CubeHash

Linear Analysis of Reduced-Round CubeHash Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer

More information

Linear Analysis of Reduced-Round CubeHash

Linear Analysis of Reduced-Round CubeHash Linear Analysis of Reduced-Round CubeHash Tomer Ashur and Orr Dunkelman, Faculty of Mathematics and Computer Science Weizmann Institute of Science P.O. Box, Rehovot 00, Israel tomerashur@gmail.com Computer

More information

Attacks on hash functions. Birthday attacks and Multicollisions

Attacks on hash functions. Birthday attacks and Multicollisions Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater

More information

Cryptanalysis of FORK-256

Cryptanalysis of FORK-256 Cryptanalysis of FORK-256 Krystian Matusiewicz 1, Thomas Peyrin 2, Olivier Billet 2, Scott Contini 1, and Josef Pieprzyk 1 1 Centre for Advanced Computing, Algorithms and Cryptography, Department of Computing,

More information

Breaking H 2 -MAC Using Birthday Paradox

Breaking H 2 -MAC Using Birthday Paradox Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of

More information

Cryptanalysis of Edon-R

Cryptanalysis of Edon-R Cryptanalysis of Edon-R Dmitry Khovratovich, Ivica Nikolić, and Ralf-Philipp Weinmann University of Luxembourg Abstract. We present various types of attacks on the hash family Edon- R. In a free start

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

Improved Generic Attacks Against Hash-based MACs and HAIFA

Improved Generic Attacks Against Hash-based MACs and HAIFA Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur 1 and Gaëtan Leurent 2 1 Département d Informatique, École Normale Supérieure, Paris, France Itai.Dinur@ens.fr 2 Inria, EPI SECRET,

More information